|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
||
|
|
|
There is a crack, a crack in everything. That's how the light gets in. |
|
|
· AddSoft doesn't just E-Mail or post HTTP. It also uploads via FTP and Zips your application archive when required. How does another package submit to a site like Tucows? They require you to manually upload your file.
· AddSoft has *TRUE* automated support for major sites like ZDNet, BHS, Simtel -- Not just partial or limited support.
· AddSoft creates site-specific readme files when required. If you have ever submitted to Simtel or Winsite, you know how time consuming it can be to try to meet the exact specifications. The others don't handle this, and AddSoft does it all.... automatically.
· AddSoft comes with a site builder that allows you to add sites not supported by AddSoft. No need to submit a request to add a new shareware site. Just add it yourself with our comprehensive scripting. The others require you to download an update if there is a change, or new sites.
· AddSoft is reasonably
priced at just $89.00. How much is your time worth? You will
surely pay for it many times over in time saved the first time you use
it."
|
|
On successful *registration* the following
values are placed in this key:
Convert210
= 1
RN
= 298051659
UN
= THE SANDMAN
|
|
Other ways to make life *difficult* for crackers
is for the programmers to study the toolz that will ultimately crack their
software, find it's weaknesses, for instance, I've already see some code
that can disrupt dead listings created by W32Dasm and IDA Pro so if I can
find this information so can you.. Enough said, lets wrap this babe
up..
Create a Dead Listing of Addsoft.exe using
W32Dasm, then open up the program's String Data Resource and search for
the text "Thanks for Registering! :)". Talk about neon signs, this
one is positively flashing!. Double-click on this text and W32Dasm
will now display this code snippet.
:00480179 E8EE4EFFFF
call 0047506C
:0048017E 8BD8
mov ebx, eax
:00480180 A118444A00
mov eax, dword ptr [004A4418]
:00480185 8B00
mov eax, dword ptr [eax]
:00480187 889875070000
mov byte ptr [eax+00000775], bl
:0048018D A118444A00
mov eax, dword ptr [004A4418]
:00480192 84DB
test bl, bl
:00480194 740A
je 004801A0
:00480196 B8E0014800
mov eax, 004801E0 ;"Thanks for registering! :)"
:0048019B E898D3FBFF
call 0043D538
As newbie crackers we should test this section
of code in order that we might understand the following:-
1. To
see what values are returned from the Call 0047506C that might look useful
from our point of view..
2.What
value is stored in the low byte of ebx (bl) because not only is this
value being saved into a memory location it is being tested by the instruction
test bl,bl.
Right, in order to get into the program's
code using Softice you will need to press Ctrl-D
in order to fire up Softice.
Type: bpx messageboxa
then X to leave Softice.
Now run AddSoft and click Continue
at the Nag Screen. Once in, select the File
menu option THEN the View Reports option.
Softice now breaks at the beginning of the system function GetWindowTexta.
From here press the 'F11' once and your
now in Addsoft's program code.
Now type:
bc * to clear
away our previous breakpoint. We don't need it any more.
u 00480179
to display where our next breakpoint will be.
bpx 00480179
to create our Softice Breakpoint.
X to leave
Softice.
Now every time you run Addsoft and try to register it using random numbers for your serial number Softice will always break on our single breakpoint. Now go and try it out. Once you've done this you should know the following about the above code snippet:-
:00480179 E8EE4EFFFF
call 0047506C ;Create then check both serials.
;Returns with:
;BL = 0 if serial No invalid.
;BL = 0Ch if serial correct
;EAX = 1 if serial correct
;ECX = 1 if serial correct
:0048017E 8BD8
mov ebx, eax
:00480180 A118444A00
mov eax, dword ptr [004A4418]
:00480185 8B00
mov eax, dword ptr [eax]
:00480187 889875070000
mov byte ptr [eax+00000775], bl ;*REG FLAG*
;0=Unregistered
;1=Registered
:0048018D A118444A00
mov eax, dword ptr [004A4418]
:00480192 84DB
test bl, bl
:00480194 740A
je 004801A0 ;Beggar off cracker
:00480196 B8E0014800
mov eax, 004801E0 ;"Thanks for registering! :)"
:0048019B E898D3FBFF
call 0043D538
For those who have
already tried, you can't place a value of '1' into the low byte of the
ebx register once you've executed the call 0047506c in order to try and
fool the program because it will perform other checks down the line.
You also can't nop out the je 004801A0 instruction in order to force the
program to register itself because again, the program performs checks to
see if certain memory locations have also been updated when the User's
serial number was found to be correct.
OK, lets now follow
where the call 0047506C takes us..
*
Referenced by a CALL at Addresses: :00480179 , :0049C301
;Address
00480179 is used when the User tries to register this program.
;Address
0049C301 is used at Run-Time to check if the User has already
;registered
this program.
:0047506C
55
push ebp ;Save
register ebp on STACK
:0047506D
8BEC
mov ebp, esp ;Adjust ebp
:0047506F
6A00
push 00000000 ;Save empty mem locations
:00475071
6A00
push 00000000 ;on to the
:00475073
6A00
push 00000000 ;STACK
:00475075
53
push ebx ;Save
new changes
:00475076
56
push esi ;Save
register esi address
:00475077
8BF0
mov esi, eax ;swap esi with eax
:00475079
33C0
xor eax, eax ;zero eax register =
00000000
:0047507B
55
push ebp ;save
new changes
:0047507C
6811514700 push 00475111 ;save
this address
:00475081
64FF30 push
dword ptr fs:[eax] ;save
address
:00475084
648920 mov
dword ptr fs:[eax], esp ;update eax
:00475087
33DB
xor ebx, ebx
;ebx = 00000000
;
Memory address [ebp-04] is empty at this point, but will shortly contain
;
a memory address that points to where our User name will be stored so
;
that this serial generating routine can find and use it.
:00475089
8D55FC lea
edx, dword ptr [ebp-04] ;see above
:0047508C
8BC6
mov eax, esi
:0047508E
E85DFDFFFF call 00474DF0 ;Place
address of where our
;User Name is into [ebp-04]
:00475093
8B45FC mov
eax, dword ptr [ebp-04];eax = User name
:00475096
E855ECF8FF call 00403CF0
;Get length of User Name
:0047509B
85C0
test eax, eax ;is
User Name empty?
:0047509D
7457
je 004750F6
;yes? then exit routine
;
Memory address [ebp-08] is empty at this point, but will shortly contain
;
a memory address that points to where our *fake* serial will be stored
so
;
that this serial generating routine can find and use it.
:0047509F
8D55F8 lea
edx, dword ptr [ebp-08];See above.
:004750A2
8BC6
mov eax, esi ;Copy esi register to
eax register
:004750A4
E80FFEFFFF call 00474EB8 ;Place
address of where our serial
;is into [ebp-08]
:004750A9
8B45F8 mov
eax, dword ptr [ebp-08] ;eax=our fake serial
:004750AC
E83FECF8FF call 00403CF0 ;Calculate
length of our serial
:004750B1
85C0
test eax, eax ;Is Serial Number empty?
:004750B3
7441
je 004750F6 ;yes? then exit
routine.
;
Memory address [ebp-0C] is empty at this point, but will shortly contain
;
a memory address that points to where our *REAL* serial will be stored
so
;
that this serial generating routine can compare it with whatever we
have
;
typed in.
:004750B5
8D4DF4 lea
ecx, dword ptr [ebp-0C];See above.
:004750B8
BACE070000 mov edx, 000007CE
:004750BD
8B45FC mov
eax, dword ptr [ebp-04] ;eax = User Name
:004750C0
E84BCBFFFF call 00471C10 ;Place
in memory location
;[ebp-0C] the address of
;where we can find our
;*real* serial number.
:004750C5
8B45F4 mov
eax, dword ptr [ebp-0C] ;eax=*REAL* SERIAL!
:004750C8
8B55F8 mov
edx, dword ptr [ebp-08] ;edx=*FAKE* SERIAL!
:004750CB
E830EDF8FF call 00403E00
;Compare both serials
So, once you get to
the memory segment: 004750C8 all you need to do is type: d eax and the
serial number based on your User Name/Handle will be revealed to you.
Job Done.
|
|
|
|
|
|
Ripping off software through serials and
cracks is for lamers..
If your looking for cracks or serial
numbers from these pages then your wasting your time, try searching elsewhere
on the Web under Warze, Cracks etc.
| Next | Return to Essay Index | Previous |